Linux rootkits abuse SSH service
Security specialists at the Internet Storm Center have reported on a very special backdoor which is currently being found on compromised Linux servers where the attackers have manipulated a library in the SSH service. Apparently, mainly RPM-based systems are affected, but how the attackers get into the server is not yet known.
The intruders apparently replace the library
libkeyutils with a trojanised version which records user names and password pairs that are sent to the network, while providing a ready backdoor for later access. This process is less conspicuous than the previously known approach where the attackers patched the whole SSHD process.
Whether a system is affected can be determined with the help of the RPM package manager:
rpm -qfV /lib*/libkeyutils*
The package manager checks the MD5 hashes of its package database with found files and reports any discrepancies. On Debian systems, the utility
debsums provides similar functionality by must be installed first. In theory a rootkit could manipulate any of these tests, but on the analysed systems this was not the case.
Update (19:40) - This article has been updated to include an improved test which also checks /lib64. Thanks to Bernhard Wiedemann and Matthias Eckermann.